Authentication with Java EE

Question

I want to implement something like facebook as where you enter the page, login (with name and password) and navigate in the other pages once authenticated. But if you are not authenticated you cannot see the other pages (you are redirected to the login page). What's the best way to do this by using Java EE?

Answer 1

You can use Spring Security. It has all the features you require. Spring Security provides comprehensive security services for Java EE-based enterprise software applications.

Key authentication features

Comprehensive and extensible support for both Authentication and Authorization

Protection against attacks like session fixation, clickjacking, cross site request forgery, etc

Servlet API integration

Optional integration with Spring Web MVC

Answer 2

To cite the Oracle documentation:

The Sun Java System Application Server security model is based on an authenticated user session. Once a session has been created the application user is authenticated (if authentication is used) and logged in to the session. Each interaction step from the servlet that receives an EJB request does two things: generates content for a JSP to format the output, and checks that the user is properly authenticated.

A session means HTTP(S) requests which are identified and tagged by the server to belong together. The servlet can identify a new request belonging to a known session and can persist information along the requests of a session. Using this it will only return the proper content, if it has memorized that the user has successfully authenticated during that session (if that mechanism has been configured).

Thus read about session (link above) and then continue with the documentation on authentication, e.g. see here.